
Your iPhone or Mac may be at risk | How to check

The flaw in Apple’s picture-handling Image I/O API means that a malicious Tagged Image File Format (TIFF) file can cause a so-called buffer overflow, which makes it easy for a hacker to override Apple’s security and run their own code on the device.


Depending on the delivery method chosen by an attacker, this bug could be exploited through methods that don’t require user interaction, Talos said, since many apps, such as iMessage, automatically attempt to render images when they are received in their default configurations.

According to security research outfit Cisco Talos, Apple devices including the iPhone, Mac, Apple TV and Apple Watch can be corrupted simply by receiving a malicious image text, whether through iMessage, MMS, Mail or webpages on Safari. A hacker can craft a special BMP file which triggers an out-of-bounds write when opened in an app using CoreGraphics.

According to an article by Consumerist, hackers can access a user’s device through an infected iMessage or an email that has a bad *.tiff image file.

Apple issued updates for iOS, OS X, WatchOS and tvOS on Monday that patched a security hole that could allow hackers to steal login and password data as you type it.

Many news outlets equated the bug to the so-called Stagefright malware, which was a bona fide Android exploit. “This vulnerability can be exploited to then cause remote code execution on the device”, said Bohan. Users are being warned after researchers at Cisco revealed a flaw in the older versions of Apple’s iOS and MacOS software that could allow hackers into their device.

TIF images are the ones singled out that could place outdated iOS or OS X at risk. Apple itself strongly recommends installing on a secondary system or device.

Cisco waited for Apple to release a patch before unveiling the details about the security vulnerability.

To protect your iPhone, go to Settings > General > Software Update and select “download and install” to upgrade to iOS 9.3.3.


The researchers who found the malware state that it infects all versions of iOS and OS X preceding the most recent update.
